Trojan.Siggen9.57648

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'SysHelper' = '"%LOCALAPPDATA%\4575c98b-fe31-424b-8712-758e7b140b94\E70B.tmp.exe" --AutoStart'

Creates or modifies the following files

Creates the following services

[<HKLM>\System\CurrentControlSet\Services\nazmcmff] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\nazmcmff] 'ImagePath' = '%WINDIR%\SysWOW64\nazmcmff\jawdutxb.exe /d"%TEMP%\F843.tmp.exe"'

Malicious functions

Executes the following

'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul

Modifies file system

Creates the following files

%APPDATA%\microsoft\windows\twhgburh\whvwgtdw.exe
%TEMP%\config.ini
%TEMP%\b8a9.tmp.exe
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
%APPDATA%\microsoft\windows\cookies\low\index.dat
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\pig39t5x\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\a5c4m2yz\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\v92wv4zy\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\cqzx2659\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%TEMP%\logo.gif
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%TEMP%\is-im943.tmp\directultramediaburner.exe.config
%TEMP%\is-im943.tmp\idp.dll
%TEMP%\is-im943.tmp\_isetup\_shfoldr.dll
%TEMP%\is-im943.tmp\_isetup\_setup64.tmp
%TEMP%\is-bbmi1.tmp\f19.tmp.tmp
%TEMP%\f19.tmp.exe
%TEMP%\489.tmp.exe
%TEMP%\jawdutxb.exe
%TEMP%\f843.tmp.exe
%LOCALAPPDATA%\4575c98b-fe31-424b-8712-758e7b140b94\e70b.tmp.exe
%TEMP%\eefb.tmp.exe
%TEMP%\e70b.tmp.exe
%TEMP%\1da1.tmp.exe
%APPDATA%\mozilla\firefox\profiles\gn7ryp~1.def\cookies.sqlite-shm

Sets the 'hidden' attribute to the following files

%APPDATA%\microsoft\windows\twhgburh\whvwgtdw.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\cqzx2659\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\v92wv4zy\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\a5c4m2yz\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\pig39t5x\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini

Deletes the following files

Moves the following files

Deletes itself.

Network activity

Connects to

TCP

HTTP GET requests

HTTP POST requests

'ap#.2ip.ua':443

'ul###########urner.s3.eu-west-2.amazonaws.com':443

'te##te.in':443

'yi#.su':443

UDP

Miscellaneous

Creates and executes the following

'%TEMP%\e70b.tmp.exe'
'%TEMP%\b8a9.tmp.exe'
'%TEMP%\f843.tmp.exe'
'%TEMP%\489.tmp.exe'
'%TEMP%\e70b.tmp.exe' --Admin IsNotAutoStart IsNotTask
'%TEMP%\eefb.tmp.exe'
'%TEMP%\f19.tmp.exe'
'%TEMP%\is-bbmi1.tmp\f19.tmp.tmp' /SL5="$F01F0,146532,62464,%TEMP%\F19.tmp.exe"
'%TEMP%\1da1.tmp.exe'
'%WINDIR%\syswow64\nazmcmff\jawdutxb.exe' /d"%TEMP%\F843.tmp.exe"
'%WINDIR%\syswow64\icacls.exe' "%LOCALAPPDATA%\4575c98b-fe31-424b-8712-758e7b140b94" /deny *S-1-1-0:(OI)(CI)(DE,DC)' (with hidden window)
'%WINDIR%\syswow64\sc.exe' description nazmcmff "wifi internet conection"' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
'%WINDIR%\syswow64\sc.exe' start nazmcmff' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\jawdutxb.exe" %WINDIR%\SysWOW64\nazmcmff\' (with hidden window)
'%WINDIR%\syswow64\sc.exe' create nazmcmff binPath= "%WINDIR%\SysWOW64\nazmcmff\jawdutxb.exe /d\"%TEMP%\F843.tmp.exe\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\nazmcmff\' (with hidden window)
'%TEMP%\jfiag_gg.exe' /scookiestxt %TEMP%\fjgha23_fa.txt' (with hidden window)

Executes the following

'%WINDIR%\syswow64\icacls.exe' "%LOCALAPPDATA%\4575c98b-fe31-424b-8712-758e7b140b94" /deny *S-1-1-0:(OI)(CI)(DE,DC)
'%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\nazmcmff\
'%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\jawdutxb.exe" %WINDIR%\SysWOW64\nazmcmff\
'%WINDIR%\syswow64\sc.exe' create nazmcmff binPath= "%WINDIR%\SysWOW64\nazmcmff\jawdutxb.exe /d\"%TEMP%\F843.tmp.exe\"" type= own start= auto DisplayName= "wifi support"
'%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
'%WINDIR%\syswow64\sc.exe' description nazmcmff "wifi internet conection"
'%WINDIR%\syswow64\sc.exe' start nazmcmff
'<SYSTEM32>\taskeng.exe' {6EE64C4C-460A-4528-8AAA-9A7513DAB473} S-1-5-21-1960123792-2022915161-3775307078-1001:lcnowhbtv\user:Interactive:[1]